Book Excerpt: Kingpin — How One Hacker Took Over the Billion-Dollar Cybercrime Underground

Published Tuesday, the new book by Wired.com senior editor Kevin Poulsen tells the story of Max Vision, a white hat computer hacker who turned to the dark side. Among other things, Max stole credit card data — “dumps” — on millions of consumers, which he sold in bulk to a card counterfeiter named Chris Aragon. In this excerpt, a new discovery gives him a chance to expand his operation.

Pizza and Plastic

On the top floor of the Post Street Towers, Max’s computers sat on the wood veneer floor, silent and cool. Outside the bay window, shops and apartments were ready to unwittingly feed him bandwidth through his oversized antenna.

Max had gone dormant for a few months after accumulating a pile of cash from the Citibank operation; he’d abandoned his penthouse apartment and put his hacking on the backburner. But he couldn’t stay away long. He’d asked Chris to rent him a new safe house, one with more neighborhood Wi-Fi options than the last. “I just need a closet, I don’t need any space,” he’d said.

Kevin Poulsen
Kevin Poulsen is a senior editor at Wired.com, where he oversees cybercrime, privacy and political coverage, and edits the award-winning Threat Level blog. Kingpin is his first book.

Chris had delivered. There was ample Wi-Fi swimming around the Post Street Towers, and the apartment was indeed a closet: a 300-square foot studio that seemed scarcely larger than a prison cell. Decked out in blonde wood, with a Formica counter, full-sized fridge and a bed that unfolded from the wall, it was a clean and functional McApartment, bare of all distractions and able to provide the necessities for Max’s all-night hacking sprees. The high turnover in the building made him anonymous. Chris just had to flash a fake ID at the rental office, pay a $500 deposit and sign the six month lease.

Once his computers were plugged in, and his antenna was latched onto some patsy’s network, Max wasted little time in getting back on the job. As ever, he targeted fraudsters, and he developed some novel ways to steal from them. He monitored the alerts put out by an organization called the Anti-Phishing Working Group, staying on top of the latest phishing attacks. The alerts included the Web addresses of the phishing sites linked to the forged e-mails, allowing Max to hack the phishers’ servers, re-steal the stolen data, and erase the original copy, frustrating the phishers and grabbing valuable information at the same time.

Other attacks were less focused. Max was still plugged into the white hat scene, and he was on the private mailing lists where security holes often appeared for the first time. He had machines scanning the internet day and night for servers running vulnerable software, just to see what he’d turn up. He was scanning for a Windows server-side buffer overflow when he made the discovery that would lead to his public entry into the carding scene.

His scanning put him inside a Windows machine that, on closer inspection, was in the back office of a Pizza Schmizza restaurant in Vancouver, Washington; he knew the place, it was near his mother’s house. As he looked around the computer, he realized the PC was acting as the back-end system for the point-of-sale terminals at the restaurant — it collected the day’s credit card transactions and sent them in a single batch every night to the credit card processor. Max found that day’s batch stored as a plain text file, with the full magstripe of every customer card recorded inside.

Even better, the system was still storing all the previous batch files, dating back to when the pizza parlor had installed the system about three years earlier. It was some 50,000 transactions, just sitting there, waiting for him.

Max copied the files, then deleted them — they weren’t needed by Pizza Schmizza. After sorting, and filtering out the duplicate and expired cards, he was left with about 2,000 dumps.

For the first time, Max had a primary source, and they were virgin cards, almost guaranteed to be good.

Chris had been complaining about the staleness of some of Max’s dumps. That would end now. A customer could walk into the Pizza Schmizza, order a 12-inch pie for his family, and his credit card could be on Max’s hard drive while the leftovers were still cooling in the garbage. Once he was done organizing his numbers, Max gave Chris a taste. “These are extremely fresh,” he said. “They’re from two days ago.”

There was no way that Chris and his crew could metabolize the 50 dumps a day coming from the Pizza Schmizza. So Max decided to make his first forays into vending in the carding scene. He set himself up as “Generous,” and later “Digits,” and began making deals with known carders.

Max didn’t need the money the way he used to. He’d squandered most of his nest egg from the Citibank cash-outs, frittering it away on everything from handouts for the homeless to a $1,500 Sony AIBO robotic dog. But he wasn’t broke yet.

There was just one reason he was upping the ante now. He’d become addicted to life as a professional hacker. He loved the cat-and-mouse games, the freedom, the secret power. Cloaked in the anonymity of his safe house, he could indulge any impulse, explore every forbidden corridor of the net, satisfy every fleeting curiosity — all without fear of consequence, fettered only by the limits of his conscience. At bottom, the master criminal was still the kid who couldn’t resist slipping into his high school in the middle of the night and leaving his mark.


In June 2006, a stroke of good luck gave him a chance to expand. A serious security hole emerged in the software RealVNC, for virtual network console — a remote-control program used to administer Windows machines over the internet.

The bug was in the brief handshake sequence that opens every new session between a VNC client and the RealVNC server. A crucial part of the handshake comes when the server and client negotiate the type of security to apply to the session. It’s a two-step process: First, the RealVNC server sends the client a shorthand list of the security protocols the server is configured to support. The list is just an array of numbers: [2,5], for example, means the server supports VNC’s type 2 security, a relatively simple password authentication scheme, and type 5, a fully encrypted connection.

In the second step, the client tells the server which of the offered security protocols it wants to use by sending back its corresponding number, like ordering Chinese food off a menu.

The problem was, RealVNC didn’t check the response from the client to see if it was on the menu in the first place. The client could send back any security type, even one the server hadn’t offered, and the server unquestioningly accepted it. That included type 1, which is almost never offered, because type 1 is no security at all — it allows you to log in to RealVNC with no password.

It was a simple matter to modify a VNC client to always send back type 1, turning it into a skeleton key. An intruder like Max could point his hacked software at any box running the buggy RealVNC software and instantly enjoy unfettered access to the machine.
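The negotiation step the text describes, as an added example in Python that is neither from the book nor from RealVNC’s code base. It models the RFB 3.8 framing of the security handshake (the server sends a one-byte count followed by one byte per offered type; the client answers with a single byte), and places the flawed server behaviour beside the check that closes the hole: the client’s choice must be one of the types the server actually offered. The function names and the `HandshakeError` class are this example’s own.

```python
"""RFB security-type negotiation: the server-side check the text says was missing.

Added example, not code from the book or from RealVNC. Framing follows RFB 3.8:
  server -> client : U8 count, then U8 per offered security type
  client -> server : U8 chosen security type
Type 1 is "None" (no authentication), type 2 is VNC password auth, and the
text calls RealVNC's encrypted scheme "type 5".
"""
import struct

SECURITY_NONE = 1       # no authentication at all
SECURITY_VNC_AUTH = 2   # challenge/response password scheme
SECURITY_ENCRYPTED = 5  # the encrypted scheme referred to as type 5 in the text


class HandshakeError(Exception):
    """Raised when the client's reply cannot be honoured."""


def encode_offer(offered):
    """Server -> client: one byte giving the count, then one byte per type."""
    if not 0 < len(offered) < 256:
        raise ValueError("an offer holds between 1 and 255 security types")
    return struct.pack("B", len(offered)) + bytes(offered)


def decode_offer(data):
    """Client side: recover the list of offered types from the wire bytes."""
    if not data:
        raise HandshakeError("empty security-type offer")
    count = data[0]
    types = list(data[1:1 + count])
    if len(types) != count:
        raise HandshakeError("truncated security-type list")
    return types


def negotiate_unchecked(offered, client_reply):
    """Model of the flawed behaviour: the server uses whatever type the client
    names, without comparing it against the list it sent. With b"\\x01" the
    session proceeds with no authentication even though only [2, 5] was offered."""
    return client_reply[0]


def negotiate_checked(offered, client_reply):
    """Hardened negotiation: reject anything that was not on the menu."""
    if len(client_reply) != 1:
        raise HandshakeError("security-type reply must be exactly one byte")
    choice = client_reply[0]
    if choice not in offered:
        raise HandshakeError(
            f"client chose security type {choice}, which was not offered {offered}"
        )
    return choice


def rejects(offered, client_reply):
    """True if the hardened server refuses this reply (used by the demo below)."""
    try:
        negotiate_checked(offered, client_reply)
    except HandshakeError:
        return True
    return False


if __name__ == "__main__":
    offer = [SECURITY_VNC_AUTH, SECURITY_ENCRYPTED]
    wire = encode_offer(offer)
    assert decode_offer(wire) == offer
    reply = bytes([SECURITY_NONE])  # a type the server never offered
    print("unchecked server proceeds with type", negotiate_unchecked(offer, reply))
    print("checked server rejects type 1:", rejects(offer, reply))
```

The whole fix is the membership test in `negotiate_checked`; the unchecked variant is kept only to make visible what the text means by the server “unquestioningly” accepting the reply.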

Max started scanning for vulnerable RealVNC installations as soon as he learned of this gaping hole. He watched, stunned, as the results scrolled down his screen, thousands of them: computers at homes and college dorms; machines in Western Union offices, banks and hotel lobbies. He logged into some at random: in one, he found himself looking at the feeds from closed circuit video surveillance cameras in an office building lobby. Another was a computer at a Midwest police department, where he could listen in on 9-1-1 calls. A third put him in a home-owner’s climate control system; he raised the temperature 10 degrees and moved on.

Max's stolen credit card data fed into underground counterfeiting factories, like this one run by his partner Chris. Courtesy Newport Beach Police Department

A tiny fraction of the systems were more interesting, and also familiar from his ongoing intrusion into the Pizza Schmizza: they were restaurant point-of-sale systems. They were money.

Unlike the simple dumb terminals sitting on the counters of liquor stores and neighborhood grocers, restaurant systems had become sophisticated all-in-one solutions that handled everything from order taking to seating arrangements, and they were all based on Microsoft Windows. To support the machines remotely, service vendors were installing them with commercial backdoors, including VNC. With his VNC skeleton key, Max could open many of them at will.

So Max, who’d once scanned the entire U.S. military for vulnerable servers, now had his servers trolling the internet day and night, finding and cracking pizza joints, Italian ristorantes, French bistros and American-style grills; he harvested magstripe data everywhere he found it.

Max’s scanning machinery had several moving parts. The first was aimed at finding VNC installations by performing a high-speed “port sweep” — a standard reconnaissance technique that relies on the internet’s openness and standardization.

From the start, the network’s protocols were designed to let computers juggle a variety of different types of connections simultaneously — today that can include e-mail, Web traffic, file transfers, and hundreds of other more esoteric services. To keep it all separate, a computer initiates new connections with two pieces of information: the IP address of the destination machine, and a virtual “port” on that machine — a number from 0 to 65,535 — that identifies the type of service the connection is seeking. The IP address is like a phone number; and a port is akin to a telephone extension you read off to the switchboard operator so he can send your call to the right desk.

Port numbers are standardized and published online. E-mail software knows to connect to port 25 to send a message; Web browsers connect to port 80 to retrieve a website. If a connection on the specified port is refused, it’s like an unanswered extension; the service you’re looking for isn’t available at that IP address.

Max was interested in port 5900 — the standard port for a VNC server. He set his machines sweeping through broad swaths of internet address space, sending to each a single 64-byte synchronization packet that would test whether port 5900 was open for service.

The addresses that answered his sweep streamed into a Perl script Max wrote that connected to each machine and tried to log in through the RealVNC bug.

If it got in, the program grabbed some preliminary information about the computer: the name of the machine, and the resolution and color depth of the monitor. Max snubbed computers with low-quality displays, on the assumption that they were home PCs and not businesses. It was a high-speed operation: Max was running on five or six servers at once, each capable of zipping through a Class B network, over 65,000 addresses, in a couple of seconds. His list of vulnerable VNC installations grew by about 10,000 every day.
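Seen from the other side of the wire, the port sweep described in the preceding paragraphs has a plain signature: one source sending a connection attempt to a great many distinct addresses on the same port in a short time. The following is an added example in Python, not from the book, of detection logic that flags that pattern in firewall logs. The log format is a constructed, simplified iptables-style line (`<epoch> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> SYN`), and the window and threshold values are assumptions a real deployment would tune.

```python
"""Flag a single-port sweep (here port 5900, the VNC port) in firewall logs.

Added example, not from the book. Log lines are constructed in a simplified
iptables-style layout that is an assumption of this example:
    <epoch-seconds> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> SYN
A source that sends SYNs to at least `min_targets` distinct destinations on
`port` within any `window`-second span is reported as sweeping.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) SYN$"
)


def parse_line(line):
    """Return (ts, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_sweeps(lines, port=5900, window=60, min_targets=20):
    """Return {src: peak_distinct_destinations} for sources whose SYNs to `port`
    reached at least `min_targets` distinct destinations inside one window."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window over the time-ordered events, tracking how many
        # distinct destinations are currently inside the window.
        in_window = defaultdict(int)  # dst -> occurrences within the window
        start = 0
        peak = 0
        for end, (ts_end, dst_end) in enumerate(evs):
            in_window[dst_end] += 1
            while ts_end - evs[start][0] > window:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def sample_log():
    """Constructed log: one sweeper, one legitimate admin, and unrelated web traffic."""
    lines = []
    # constructed: 203.0.113.7 probes 30 hosts on port 5900 within three seconds
    for i in range(30):
        lines.append(f"{1000 + i // 10} SRC=203.0.113.7 DST=10.0.0.{i + 1} PROTO=TCP DPT=5900 SYN")
    # constructed: an administrator reaching two known hosts over VNC, minutes apart
    lines.append("1005 SRC=10.0.0.200 DST=10.0.0.50 PROTO=TCP DPT=5900 SYN")
    lines.append("1900 SRC=10.0.0.200 DST=10.0.0.51 PROTO=TCP DPT=5900 SYN")
    # constructed: ordinary web traffic on port 80, ignored when port=5900
    for i in range(40):
        lines.append(f"{1000 + i} SRC=198.51.100.9 DST=10.0.0.{i + 1} PROTO=TCP DPT=80 SYN")
    return lines


if __name__ == "__main__":
    for src, n in detect_sweeps(sample_log()).items():
        print(f"port 5900 sweep from {src}: {n} distinct destinations")
```

The distinct-destination count is what separates a sweep from a busy but legitimate client: the administrator who opens two VNC sessions stays far below the threshold, while a single SYN per address across a whole subnet crosses it within seconds. The same function serves any port; passing `port=80` to the sample log reports the web-traffic source instead.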

The point-of-sale systems were needles in a massive haystack. He could spot some just from the name: “Aloha” meant the machine was likely an Aloha POS made by Atlanta-based Radiant Systems, his favorite target. “Maitre’D” was a competing product from Posera Software in Seattle. The rest of them took some guesswork. Any machine with a name like “Server,” “Admin” or “Manager” needed a second look.

Slipping in over his VNC client, Max could see what was on the computer’s screen, as though standing right in front of it. Since he worked at night, the display on the dormant PC was usually dark, so he’d nudge his mouse to clear the screen saver. If there was anyone in the room, it might have been a little spooky: remember that time your computer monitor flipped on for no reason, and the cursor twitched? It might have been Max Vision taking a quick look at your screen.

Soon, Max was wired into eateries throughout America. A Burger King in Texas. A sports bar in Montana. A trendy nightclub in Florida. A California grill. He moved up to Canada, and found still more.

Max had gotten his start vending by stealing the dumps from a single restaurant. Now he had as many as a hundred feeding him credit card data in near real-time. Digits would be doing a lot more business.